Why tasking is important in a threat intelligence team (using NSA’s UTT as example)
Following the theme of my previous posts, I have published an educational video that goes through the well known PRISM slidedeck from the NSA. That slidedeck has tons of useful information for anyone working in threat intelligence, but I’d like to focus on one area only to make this blog post quick and comprehensive. I want to focus on the Unified Targeting Tool (UTT) that was mentioned and explained there.
What I liked about UTT was its pure focus in tasking (meaning assigning intelligence tasks such as collection, exploitation, etc. when the information is not readily available to analysts), something that in the private sector we tend to usually ignore. The job of your analysts isn’t to go out and chat with cyber-criminals, create sock puppet accounts, negotiate with vendors, etc. it is to use all the available information to build intelligence. The above operations are part of the tasking & collection.
Here is a screenshot of the UTT slide I reconstructed for my video and in summary what it says is that the analyst uses UTT to fill in a web form with the information they need from PRISM (but for the sake of this blog post assume your own threat intelligence data lake). Then UTT had two paths, one was for searching in records it already had and the other was for searching for near-realtime information (AKA surveillance). This distinction is CRUCIAL in tasking as intelligence gathering is usually not as time-sensitive as surveillance. Then it does a series of checks (like is this for a U.S. citizen) and if the information wasn’t available the FBI was tasked to go the relevant companies and get/collect that data and feed them back to PRISM.
Now if I had to redesign this for a private entity, what I would do is something like what you see below. Having a solid tasking process for threat intelligence is extremely beneficial for the entire intelligence function. But before going there, what I wrote is basically… First someone needs to review the analyst(s)’ request in case they try to access something which they are not allowed. Then, if it’s something you already have you pass it and if it isn’t, you open a ticket to your collectors to find it. If it’s a near-realtime (AKA surveillance) request, then you need to create the equivalent tracking rules and alerts. The great part is that most of that can be automated with modern TIP and SOAR solutions out there.
So what’s the value of a concrete tasking process (ideally accompanied with a tool like UTT)? Here is what:
- Provides visibility on what analysts are interested in (AKA helps develop/improve PIRs)
- Helps identify the best vendors/sources to focus on
- Create/maintain only alerting for threats the analysts care about
- Ensures analysts cannot just “read everything” which could result in serious privacy violations
- Useful to prioritize the intelligence collection and technical requirements
- Removes the need for analysts to get familiar with all the tools/vendors used (and change over time)
- Can help in deduplication of work when multiple identical requests are issued
- Analysts use their time to do analysis, not collection
xorl %eax, %eax 
Leave a Reply